def create_acl_secret(secret=None, user_ids=[], session=None):
acl_secret = models.SecretACL(secret.id, "read")
acl_secret.secret_id = secret.id
acl_secret_repo = repositories.get_secret_acl_repository()
acl_secret_repo.create_from(acl_secret, session=session)
return acl_secret
def test_new_secretacl_expect_user_ids_as_list(self):
acl = models.SecretACL(self.secret_id, self.operation, None,
{'aUser': '******'})
self.assertEqual(0, len(acl.acl_users))
def on_put(self, external_project_id, **kwargs):
"""Handles update of existing secret acl requests.
Replaces existing secret ACL(s) with input ACL(s) data. Existing
ACL operation not specified in input are removed as part of update.
For missing project-access in ACL, true is used as default.
In update, multiple operation ACL payload can be specified as
mentioned in sample below. A specific ACL can be updated by its
own id via SecretACLController patch request.
{
"read":{
"users":[
"5ecb18f341894e94baca9e8c7b6a824a",
"20b63d71f90848cf827ee48074f213b7",
"c7753f8da8dc4fbea75730ab0b6e0ef4"
]
},
"write":{
"users":[
"5ecb18f341894e94baca9e8c7b6a824a"
],
"project-access":false
}
}
Every secret, by default, has an implicit ACL in case client has not
defined an explicit ACL. That default ACL definition, DEFAULT_ACL,
signifies that a secret by default has project based access i.e. client
with necessary roles on secret project can access the secret. That's
why when ACL is added to a secret, it always returns 200 (and not 201)
indicating existence of implicit ACL on a secret.
"""
data = api.load_body(pecan.request, validator=self.validator)
LOG.debug('Start on_put...%s', data)
existing_acls_map = {
acl.operation: acl
for acl in self.secret.secret_acls
}
for operation in itertools.ifilter(lambda x: data.get(x),
validators.ACL_OPERATIONS):
project_access = data[operation].get('project-access', True)
user_ids = data[operation].get('users', [])
s_acl = None
if operation in existing_acls_map: # update if matching acl exists
s_acl = existing_acls_map.pop(operation)
s_acl.project_access = project_access
else:
s_acl = models.SecretACL(self.secret.id,
operation=operation,
project_access=project_access)
self.acl_repo.create_or_replace_from(self.secret,
secret_acl=s_acl,
user_ids=user_ids)
# delete remaining existing acls as they are not present in input.
for acl in six.itervalues(existing_acls_map):
self.acl_repo.delete_entity_by_id(entity_id=acl.id,
external_project_id=None)
acl_ref = '{0}/acl'.format(hrefs.convert_secret_to_href(
self.secret.id))
return {'acl_ref': acl_ref}
def test_new_secretacl_for_bare_minimum_input(self):
acl = models.SecretACL(self.secret_id, self.operation, None, None)
self.assertEqual(self.secret_id, acl.secret_id)
self.assertEqual(0, len(acl.acl_users))
self.assertEqual(self.operation, acl.operation)
self.assertIsNone(acl.project_access)
def test_create_or_replace_from_for_existing_acls(self):
"""Check create_or_replace_from and get count call.
It modifies existing acls with users and make sure that updated users
and project_access flag changes are returned when acls are queries by
secret id. It uses get count to assert expected number of acls for that
secret.
"""
session = self.acl_repo.get_session()
secret = self._create_base_secret()
acl1 = self.acl_repo.create_from(models.SecretACL(secret.id, 'read'),
session)
self.acl_repo.create_or_replace_from(secret,
acl1,
user_ids=['u1', 'u2'],
session=session)
acl2 = self.acl_repo.create_from(models.SecretACL(secret.id, 'write'),
session)
self.acl_repo.create_or_replace_from(secret,
acl2,
user_ids=['u1', 'u2', 'u3'],
session=session)
acl3 = self.acl_repo.create_from(models.SecretACL(secret.id, 'list'),
session)
self.acl_repo.create_or_replace_from(secret,
acl3,
user_ids=[],
session=session)
acls = self.acl_repo.get_by_secret_id(secret.id, session)
self.assertEqual(3, len(acls))
id_map = self._map_id_to_acl(acls)
# replace users in existing acls
id_map[acl1.id].project_access = False
self.acl_repo.create_or_replace_from(secret,
id_map[acl1.id],
user_ids=['u5'],
session=session)
self.acl_repo.create_or_replace_from(secret,
id_map[acl2.id],
user_ids=['u1', 'u2', 'u3', 'u4'],
session=session)
self.acl_repo.create_or_replace_from(secret,
id_map[acl3.id],
user_ids=['u1', 'u2', 'u4'],
session=session)
session.commit() # commit the changes made so far
acls = self.acl_repo.get_by_secret_id(secret.id, session)
id_map = self._map_id_to_acl(acls)
self.assertEqual(3, len(acls))
self.assertFalse(id_map[acl1.id].project_access)
self.assertTrue(id_map[acl2.id].project_access)
self.assertTrue(id_map[acl3.id].project_access)
self._assert_acl_users(['u5'], acls, acl1.id)
self._assert_acl_users(['u1', 'u2', 'u3', 'u4'], acls, acl2.id)
self._assert_acl_users(['u1', 'u2', 'u4'], acls, acl3.id)